Changeset 2942090

Timestamp:

07/23/2023 12:59:44 PM (13 months ago)

Author:

ayeshrajans

Message:

Add v1.4

Location:

comment-form-csrf-protection

Files:

• tags/1.4 (added)
• tags/1.4/comment-form-csrf-protection.php (added)
• tags/1.4/composer.json (added)
• tags/1.4/readme.txt (added)
• trunk/comment-form-csrf-protection.php (modified) (3 diffs)
• trunk/readme.txt (modified) (4 diffs)

comment-form-csrf-protection/trunk/comment-form-csrf-protection.php

@@ -4 +4 @@
 Plugin URI: https://wordpress.org/plugins/comment-form-csrf-protection
 Description: WordPress's default comment forms are not protected against Cross-Site Request Forgery. This plugin fixes that.
-Version: 1.2
+Version: 1.
 Author: Ayesh Karunaratne
 Author URI: https://aye.sh/open-source
@@ -17 +17 @@
     /**
      * This looks paranoid, but we use 2 tokens here. Seed, the "build_id" with a
-     * CSPRNG (PHP 7.0+). It's base64 encdoded to fit nicely within HTML attributes.
+     * CSPRNG (PHP 7.0+). It's base64 encoded to fit nicely within HTML attributes.
      *
      * Generate a traditional wp_nonce that makes use of the user session ID
      * and has a tick function to prevent replay attacks.
      *
-     * Secondly, we use out own csrf_token with a proper HMAC with sha256. wp_nonce
+     * Secondly, we use ou own csrf_token with a proper HMAC with sha256. wp_nonce
      * is generated with MD5, which we no longer consider secure enough.
      */
@@ -38 +38 @@
 
 add_action('pre_comment_on_post', function () {
-    $status = function (): bool {
+    $status = function (): bool {
         if (!isset($_POST['build_id'], $_POST['wp_nonce'], $_POST['csrf_token'])) {
             return FALSE;

comment-form-csrf-protection/trunk/readme.txt

@@ -3 +3 @@
 Tags: comments, spam, security, csrf
 Requires at least: 4.2
-Tested up to: 5.7
-Stable tag: 1.2
+Tested up to: 
+Stable tag: 1.
 Requires PHP: 7.1
 License: GPLv2 or later
@@ -11 +11 @@
 
 == Description ==
-WordPress has an 9 year old unfixed security vulnerability that it does not properly validate incoming comments.
+WordPress has aold unfixed security vulnerability that it does not properly validate incoming comments.
 
-An attacker can trick both anonymous and logged in users to post comments on a victim site without them realizing, while using their own credentials.
+An attacker can trick both anonymous and loggedin users to post comments on a victim site without them realizing, while using their own credentials.
 
 See this issue for more information: https://core.trac.wordpress.org/ticket/10931
@@ -19 +19 @@
 This is a tiny (fewer than 40 effect lines of code) module that adds a secure token to the comment form and validate it before accepting any comment, thus making your comment forms secure as they should\'ve been for all these years!
 
-It provides no UI - just install it and you are all set!
+It provides no UI - just install it and you are all set!
 
-1. This plugins adds a secret cryptographically-secure token to the comment form. This is a unique value and is computationally impractical to guess it.
-2. Upon comment subission, the comment is rejected if the secret tokens are not present or computationally invalid.
+1. This plugin adds a secret cryptographically-secure token to the comment form. This is a unique value and is computationally impractical to guess it.
+2. Upon comment subission, the comment is rejected if the secret tokens are not present or computationally invalid.
 
 == Installation ==
@@ -37 +37 @@
 
 = 1.1 =
-This is a minor release that contains minimal changes.
+This is a minor release that contains minimal changes.
 
- - Marks the plugin as tested up-to WordPress 5.3
- - Fix in `composer.json` file that it required PHP^7.2 instead of intended ^7.1
- - A micro optimization in the plugin to call the lambda function directly within the CSRF check.
+ Marks the plugin as tested up-to WordPress 5.3
+ Fix in `composer.json` file that it required PHP^7.2 instead of intended ^7.1
+ A micro optimization in the plugin to call the lambda function directly within the CSRF check.
 
-= 1.2 =
-Updating WordPress tested up to: 5.7
+= 1. =
+Minor release that contains several typo fixes and WordPress 6.3 compatibility